In September 2025, Ontario's Information and Privacy Commissioner issued the first administrative monetary penalty under the Personal Health Information Protection Act. The case wasn't a ransomware breach. It was a physician misusing his access for marketing — and the precedent it sets reaches every Canadian healthcare custodian, including dental practices.
What actually happened
In mid-2025, a physician practising in Ontario was granted credentialed access to a shared electronic health record system used by several hospitals. The system held maternity and newborn records — including patient contact information for parents of newly delivered children.
Over a three-week period, the physician conducted 146 targeted searches in the EHR for newborn males. At least 91 of those families were then solicited by phone or text message for circumcision services at the physician's private clinic — services unrelated to the clinical role that granted him access to the records.
The Information and Privacy Commissioner of Ontario investigated and, in September 2025, issued PHIPA Decision 298: the first administrative monetary penalty levied under the Act since the AMP power came into force in January 2024.
The penalties:
- $5,000 AMP on the physician personally
- $7,500 AMP on the private clinic
- Total: $12,500 in monetary penalties, plus the published decision on the IPC's public register
Why this matters more than the dollar figure
The $12,500 is modest. But the enforcement model it inaugurated is not. Before January 2024, the IPC could investigate, name, and publicly document — but it could not fine. Decision 298 establishes that PHIPA enforcement has crossed from documentation to financial penalty, with statutory caps of $50,000 per individual and $500,000 per custodian.
Why dental practices should be paying attention
Dental practices are PHIPA-covered "health information custodians." Every patient chart, treatment note, appointment record, and billing detail that connects to a named individual is personal health information under the Act. The same obligations that applied to the physician in Decision 298 apply to every dental practice in Ontario, and similar privacy legislation governs dental practices in other Canadian provinces.
Three structural realities make the post-Decision 298 environment more demanding for dental practices specifically:
1. Decision 298 wasn't about a breach. It was about access.
The physician did not lose a laptop. No ransomware encrypted a server. No external attacker bypassed a firewall. The penalty applied to an authorized user misusing data that they had legitimate access to under a clinical role.
This matters for dental practices because the same access-misuse pattern is structurally available in any practice management system. Receptionists, hygienists, contracted billing staff, locum providers, and external IT contractors all routinely hold credentialed access to patient information. The Decision 298 precedent applies to any "use or disclosure" outside the scope of the clinical purpose for which access was granted.
2. The "reasonable safeguards" standard now has financial consequences.
PHIPA s. 12 requires custodians to take "reasonable steps" to protect personal health information. Before January 2024, when the IPC found that a custodian had not taken reasonable steps, the consequence was a published finding. After Decision 298, the consequence can now be a monetary penalty up to the statutory cap.
The regulator's question in any incident review becomes: what reasonable steps were in place when the breach or misuse occurred? The answer needs to be specific and documented. "We had a username and password" does not amount to reasonable safeguards in 2026. Documented role-based access controls, periodic audit reviews of who accessed which records, multi-factor authentication on practice management systems, and incident response procedures are what now reads as defensible.
3. The IPC's published register is a public document.
PHIPA decisions are not redacted to anonymize the custodian. The clinic in Decision 298 is named. The physician is named. Any patient or referring provider Googling the practice in subsequent months finds the decision on the public register, with the regulator's findings of fact set out in plain language.
For a dental practice, this is reputational risk that doesn't depend on a journalist picking up the story. The IPC publishes its decisions as a matter of statutory function. A finding against a named practice is on the public web within days of being issued.
What changed about the threat environment, concretely
The pre-2024 model was: investigate → finding → publish → practice changes procedure → done. The post-2024 model, demonstrated by Decision 298, is: investigate → finding → publish → monetary penalty assessed → practice changes procedure → done.
The additional step is the one that matters operationally. A dental practice that experiences a privacy event — whether breach, misuse, or unauthorized disclosure — now faces a question about its cyber-insurance coverage that didn't exist before: does the policy respond to PHIPA AMPs, and what was the practice's documented compliance posture at the time of the event?
Cyber-insurance carriers in Canada have been adjusting underwriting questionnaires since Q1 2025 to ask specifically about PHIPA compliance documentation, audit logs of EHR access, MFA on patient records systems, and incident response readiness. A practice that cannot answer those questions specifically may find coverage adjusted, premiums increased, or claims contested.
What dental practices should be doing now
Three concrete actions that map directly to what the IPC will look for in an incident review:
1. Document who has access to patient records, and to what scope.
For each staff member, contractor, and external vendor with credentialed access to your practice management system: what records can they see, what actions can they take, and what business purpose justifies that access scope. Write it down. The IPC's "reasonable safeguards" question starts with whether the custodian even knew who had access to what.
2. Set up audit logging on EHR / practice management system access.
Most major practice management systems (Dentrix, Open Dental, ABELDent, Tracker, and others) have audit logging available, often disabled by default. Turn it on. Review the logs periodically — not because you'll catch every misuse, but because the documented review practice is itself part of the reasonable safeguards posture.
3. Audit external exposure independently.
PHIPA's reasonable safeguards standard is not limited to internal access controls. External attack surface — exposed services, email authentication, credentials in breach databases, infrastructure visible from the public internet — is what attackers use to enter the practice in the first place. An external exposure assessment by a third party gives the practice documented evidence of what was visible to attackers at a point in time, plus a remediation playbook for closing each gap.
The point of independent third-party assessment is documentation. Even if a breach later occurs, having a documented record of the assessment, the remediation actions taken, and the dates each gap was closed is the difference between "we took reasonable steps" and "we will look into it."
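Item 2 above recommends turning on audit logging and reviewing it periodically. The script below is an added example, not code from the IPC decision, from LeakTrace, or from any practice management product named above: it runs a simple review over a constructed audit log and flags the Decision 298 access pattern (repeated demographic searches plus charts opened with no clinical action recorded for that patient). The log format, action names, user names and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp,user,role,action,patient_id,detail.
# dr_a repeats a demographic search and opens charts it never documents in;
# hyg_b opens charts and writes notes, which is ordinary clinical use.
SAMPLE_LOG = """\
2025-06-02T09:01:00,dr_a,provider,SEARCH,-,sex=M;age_days<30
2025-06-02T09:02:10,dr_a,provider,VIEW_CHART,P1001,-
2025-06-02T09:03:40,dr_a,provider,VIEW_CHART,P1002,-
2025-06-03T10:15:00,dr_a,provider,SEARCH,-,sex=M;age_days<30
2025-06-03T10:16:30,dr_a,provider,VIEW_CHART,P1003,-
2025-06-04T08:30:00,hyg_b,hygienist,VIEW_CHART,P2001,-
2025-06-04T08:45:00,hyg_b,hygienist,ADD_NOTE,P2001,recall cleaning
2025-06-04T09:10:00,hyg_b,hygienist,VIEW_CHART,P2002,-
2025-06-04T09:40:00,hyg_b,hygienist,ADD_NOTE,P2002,recall cleaning
"""
CLINICAL_ACTIONS = {"ADD_NOTE", "ADD_TREATMENT", "BILL"}  # assumed action names

def parse_log(text):
    """Parse the assumed CSV audit format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, role, action, patient, detail = line.split(",", 5)
            events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                           "action": action, "patient": patient, "detail": detail})
    return events

def review_access(events, window_days=21, min_searches=2, min_unexplained=3):
    """Flag users who, within the trailing window, ran repeated demographic
    searches and opened charts with no clinical action recorded for that
    patient. Thresholds are illustrative and would be calibrated per role."""
    if not events:
        return {}
    cutoff = max(e["ts"] for e in events) - timedelta(days=window_days)
    searches, viewed, documented = defaultdict(int), defaultdict(set), defaultdict(set)
    for e in (x for x in events if x["ts"] >= cutoff):
        if e["action"] == "SEARCH":
            searches[e["user"]] += 1
        elif e["action"] == "VIEW_CHART":
            viewed[e["user"]].add(e["patient"])
        elif e["action"] in CLINICAL_ACTIONS:
            documented[e["user"]].add(e["patient"])
    findings = {}
    for user in set(searches) | set(viewed):
        unexplained = sorted(viewed[user] - documented[user])  # charts with no care recorded
        if searches[user] >= min_searches and len(unexplained) >= min_unexplained:
            findings[user] = {"searches": searches[user], "unexplained_charts": unexplained}
    return findings
```

The output is a review queue, not a verdict: each flagged user is a case to reconcile against the role and access-scope documentation from item 1, and the dated record of that reconciliation is what a regulator will ask to see.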
What the next decisions might look like
Decision 298 is the first AMP under PHIPA, but it is unlikely to be the last. The IPC's January 2024 "Guidance for the Health Care Sector on Administrative Monetary Penalties" sets out the framework for when AMPs are reserved — generally, more serious cases, repeated non-compliance, situations where a finding alone would not deter, or situations where the custodian derived an economic benefit from the contravention.
The next AMP decisions will likely address:
- Ransomware incidents at clinics that did not have documented reasonable safeguards (MFA, backup integrity, incident response)
- Email-impersonation incidents where the practice had no DMARC enforcement on its sending domain (the IPC has flagged email-authentication posture as a basic-hygiene item)
- Repeated improper access by authorized users — the Decision 298 pattern with different facts
- Vendor / processor failures where the practice cannot demonstrate it conducted reasonable due diligence on the vendor's safeguards
The common thread is documented compliance posture. Practices that can produce specific, dated documentation of their safeguards at the time of an event will fare meaningfully better in any regulator review than practices that respond to an inquiry with a procedural description rather than a documented record.
What this means in two sentences
PHIPA enforcement has moved from documenting to fining. For Canadian dental practices, that shift makes documented, dated, specific compliance posture the single most valuable asset going into any incident review — and the absence of it the single largest exposure.
About this analysis
LeakTrace is a Canadian cybersecurity intelligence firm focused on small- and mid-market practices in regulated sectors. We monitor breach databases, infrastructure exposure, and email-authentication posture for Canadian healthcare, legal, and professional services organizations. Our briefs document what an external observer would see about a practice's exposure — the same view an attacker would have. If you'd like a brief for your practice, contact us at [email protected].
Sources
- Information and Privacy Commissioner of Ontario — PHIPA Decision 298 (September 2025): the IPC's published decision documenting the physician misuse of EHR access and the imposition of administrative monetary penalties. Available on the IPC public register at ipc.on.ca.
- Information and Privacy Commissioner of Ontario — "Guidance for the Health Care Sector on Administrative Monetary Penalties" (January 2024): the IPC's published framework for when AMPs will be assessed and the factors the IPC considers when calibrating penalty amounts.
- Personal Health Information Protection Act, 2004 (Ontario), as amended — see s. 12 (reasonable safeguards) and the AMP provisions effective January 2024 with statutory caps of $50,000 per individual and $500,000 per organization.
- Borden Ladner Gervais LLP — "PHIPA Decision 298: First imposition of administrative monetary penalties" (September 2025): legal analysis of the decision and its implications for Ontario health information custodians.
- Fasken Martineau DuMoulin LLP — "First Monetary Penalties Issued under Ontario's Health Privacy Law: Practical Lessons for the Health Sector" (October 2025).
This article is published for educational purposes and does not constitute legal advice. Dental practices with PHIPA compliance questions should consult qualified privacy counsel for advice specific to their situation.